Connection: Loose Comparison for Port Number in Signatures#14111

mdawaffe · 2019-11-22T22:34:34Z

Changes proposed in this Pull Request:

When WordPress is hosted behind a reverse proxy, we ask site owners to add a X-Forwarded-Port header from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input.

We also allow site owners to define JETPACK_SIGNATURE__HTTPS_PORT and JETPACK_SIGNATURE__HTTP_PORT constants if adding a header is not possible.

Often, site owners will add the following snippet to their wp-config.php to make use of those constants:

define( 'JETPACK_SIGNATURE__HTTP_PORT', $_SERVER['SERVER_PORT'] );
define( 'JETPACK_SIGNATURE__HTTPS_PORT', $_SERVER['SERVER_PORT'] );

Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in:

jetpack/packages/connection/legacy/class-jetpack-signature.php

Line 95 in 97cc7bb

$port = in_array( $host_port, array( 443, 80, $https_port ), true ) ? '' : $host_port;
jetpack/packages/connection/legacy/class-jetpack-signature.php

Line 103 in 97cc7bb

$port = in_array( $host_port, array( 80, $http_port ), true ) ? '' : $host_port;

$_SERVER['SERVER_PORT'] is a string in most environments, and the new code demands integers.

Switch back to loose comparison.

Is this a new feature or does it add/remove features to an existing part of Jetpack?

No: bug fix

Testing instructions:

There's not a good way to test this unless you have a site running on a custom port behind a reverse proxy running on a normal port :(

Proposed changelog entry for your changes:

Fix communication between Jetpack sites and WordPress.com for some sites hosted on non-standard ports.

…ures When WordPress is hosted behind a reverse proxy, we ask site owners to add a `X-Forwarded-Port` header from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input. We also allow site owners to define `JETPACK_SIGNATURE__HTTPS_PORT` and `JETPACK_SIGNATURE__HTTP_PORT` constants if adding a header is not possible. Often, site owners will add the following snippet to their wp-config.php to make use of those constants: ``` define( 'JETPACK_SIGNATURE__HTTP_PORT', $_SERVER['SERVER_PORT'] ); define( 'JETPACK_SIGNATURE__HTTPS_PORT', $_SERVER['SERVER_PORT'] ); ``` Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in: * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L95 * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L102 `$_SERVER['SERVER_PORT']` is a string in most environments, and the new code demands integers. Switch back to loose comparison.

mdawaffe · 2019-11-22T22:36:33Z

If we do a point release, this should be in it.

jetpackbot · 2019-11-22T22:38:28Z

	Warnings
⚠️	`pre-commit` hook was skipped for one or more commits

This is an automated check which relies on PULL_REQUEST_TEMPLATE. We encourage you to follow that template as it helps Jetpack maintainers do their job. If you think 'Testing instructions' or 'Proposed changelog entry' are not needed for your PR - please explain why you think so. Thanks for cooperation 🤖

Generated by 🚫 dangerJS against b37f494

mdawaffe · 2019-11-22T22:44:01Z

Sorry about the [not verified]. I did actually verify, then had to do some rebase shenanigans :)

brbrr · 2019-11-23T09:13:11Z

Jetpack e2e tests were complaining about that change, so we figured this fix: #13523, which seems not fixing all the issues

jeherve

LGTM. Merging.

…ures (#14111) When WordPress is hosted behind a reverse proxy, we ask site owners to add a `X-Forwarded-Port` header from the reverse proxy to the origin so that Jetpack can know what port to use in the signature's input. We also allow site owners to define `JETPACK_SIGNATURE__HTTPS_PORT` and `JETPACK_SIGNATURE__HTTP_PORT` constants if adding a header is not possible. Often, site owners will add the following snippet to their wp-config.php to make use of those constants: ``` define( 'JETPACK_SIGNATURE__HTTP_PORT', $_SERVER['SERVER_PORT'] ); define( 'JETPACK_SIGNATURE__HTTPS_PORT', $_SERVER['SERVER_PORT'] ); ``` Unfortunately, we broke that snippet in #13489, since we moved to strict comparisons in: * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L95 * https://github.com/Automattic/jetpack/blob/97cc7bb9b26d4184ba4915efd5928e59d4456b38/packages/connection/legacy/class-jetpack-signature.php#L102 `$_SERVER['SERVER_PORT']` is a string in most environments, and the new code demands integers. Switch back to loose comparison.

jeherve · 2019-11-25T07:44:59Z

Cherry-picked to branch-7.9 in c15baec

* 8.0 Release: running changelog * Changelog: add #13921 * Changelog: add #13980 * Changelog: add #13905 * Changelog: add #13971 * Changelog: add #13984 * Changelog: add #14009 * Changelog: add #13620 * Remove things that will ship in 7.9.1 * Changelog: add 7.9.1 release (#14044) * Changelog: add base for 7.9.1 release * Update release date and post link * Changelog: add #14066 * Update changelog for 7.9.1 * Changelog: add #13405 * Changelog: add #13841 * Changelog: add #13924 * Changelog: add #13986 * Changelog: add #14010, #14028, #14053, #14055. * Changelog: add #14054 * Changelog: add #14031 * Changelog: add #14039 * Changelog: add #14050 * Changelog: add #14070 * Changelog: add #14082 * Changelog: add #14084 * Changelog: add #14111 * Changelog: add #13961 * Changelog: add #14047 * Changelog: add #14091 * Changelog: add #14108 * Changelog: add #14121

mdawaffe added Bug When a feature is broken and / or not performing as intended [Pri] High Connect Flow Connection banners, buttons, ... [Status] Needs Package Release This PR made changes to a package. Let's update that package now. labels Nov 22, 2019

mdawaffe requested review from a team, kbrown9, tyxla and zinigor November 22, 2019 22:34

mdawaffe added this to the 7.9.2 milestone Nov 22, 2019

kraftbj added the [Status] Needs Cherry-Pick label Nov 22, 2019

jeherve approved these changes Nov 25, 2019

View reviewed changes

jeherve merged commit 1297eee into master Nov 25, 2019

jeherve deleted the fix/signature-port-comparison branch November 25, 2019 07:44

matticbot added the [Status] Needs Changelog label Nov 25, 2019

jeherve added [Status] Has Changelog and removed [Status] Needs Cherry-Pick [Status] Needs Package Release This PR made changes to a package. Let's update that package now. [Status] Needs Changelog labels Nov 25, 2019

jeherve added a commit that referenced this pull request Nov 25, 2019

Changelog: add #14111

5b0ee5d

jeherve modified the milestones: 7.9.2, 8.0 Nov 26, 2019

htdat mentioned this pull request Jan 12, 2020

Connection: server port has unexpected value #13885

Closed

leogermani mentioned this pull request Nov 4, 2020

Handle empty SERVER_PORT information on signature checks #17713

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Connection: Loose Comparison for Port Number in Signatures#14111